Addressing threats to health care's core values, especially those stemming from concentration and abuse of power. Advocating for accountability, integrity, transparency, honesty and ethics in leadership and governance of health care.

Wednesday, May 18, 2011

Another Blow to the Health IT Idealists: Sony CEO Howard Stringer, and HHS OIG, on Information Security

In a series of Healthcare Renewal posts such as those linked below, I pointed out that healthcare IT information security was largely a pipe dream, and that plans to create a national network of health information, while a seductive idea dating to the beginnings of computer networking, are not a good idea now.

TOKYO—After spending weeks to resolve a massive Internet security breach, Sony Corp. Chief Executive Howard Stringer said he can't guarantee the security of the company's videogame network or any other Web system in the "bad new world" of cybercrime.

Mr. Stringer's comments in a phone interview Tuesday, ahead of a New York roundtable discussion with reporters, come on the heels of a trying month for Sony. The company partially restored two of its online game systems and a streaming movie and music service over the weekend after shutting the services for several weeks when a breach compromised the personal information of more than 100 million account holders.

While Sony has restored part of the PlayStation Network—an online game system for its PlayStation 3 videogame console—in the U.S. and Europe and bolstered security measures, Mr. Stringer, 69 years old, said maintaining the service's security is a "never-ending process" and he doesn't know if anyone is "100% secure."

He said the security breach at PSN, Sony Online Entertainment, an online game service for personal-computer users, and its Qriocity streaming video and music network could lead the way to bigger problems well beyond Sony, or the gaming industry. He warned hackers may one day target the global financial system, the power grid or air-traffic control systems. [And healthcare, where identity theft, data alteration, and data destruction might occur - ed.]

I really don't think this is the time to be setting up a national health information network.

Beyond that, I offer no additional comments, other than that, regarding the impossibility of keeping healthcare information secure on a national or even regional network, you may have heard it first here at Healthcare Renewal.

It would be prudent and consistent with the Hippocratic Oath to tone down our grandiose expectations and grandiose plans for these technologies in healthcare.

If you don't feel insecure yet, just wait a moment.

Going from very, very bad to very much worse:

Two independent audits of ONC's and CMS's security programs by the HHS OIG (Office of the Inspector General) produced concerning, if not alarming, results, to say the least:

The audits were conducted by the Department of Health and Human Services' Office of Inspector General, and targeted HIT security standards, privacy protection under HIPAA, and other security measures at the Centers for Medicare & Medicaid Services, and the Office of the National Coordinator. "These two reports are being issued simultaneously because OIG found weaknesses in the two HHS agencies entrusted with keeping sensitive patient records private and secure," OIG said in a media release.

The CMS audit, Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight, examined seven hospitals across the country and found 151 "vulnerabilities" in systems and controls that are designed to safeguard electronic protected health information.

"These vulnerabilities placed the confidentiality, integrity, and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge," the OIG audit said. "As a result, CMS had limited assurance that controls were in place and operating as intended to protect electronic protected health information, thereby leaving ePHI vulnerable to attack and compromise."

OIG's Audit of Information Technology Security Included in Health Information Technology Standards examined ONC's mandate under the HITECH Act to develop HIT security as part of a national HIT interoperability infrastructure. The audit found "no HIT standards that included general information IT security controls … which provide the structure, policies, and procedures that apply to a healthcare provider's overall computer operations, ensure the proper operation of information systems [which obviously also impacts patient safety - ed.], and create a secure environment for application systems and controls."

That's not very reassuring. In fact, it is downright frightening. ONC has to learn such lessons from HHS OIG? Read the whole thing.

I somewhat mordantly note that organizations such as ONC and CMS would probably never hire a person like me, who might actually kick-start true critical thinking on these issues. This is due to my non-bien pensant "bad attitudes", and lack of faith in cybernetic idols.

[Image] A well-known idol of gold. Computer circuits use gold, no?

Oh Scott, I'm sure everything will turn out OK. Our elected leaders know best, you should just shush up. I mean what does experience with all the old stuff you did mean, and all of the reports you cite to support a slowdown of HIT are based on data at least 6 months old. Everything has changed in the past week or two, so nothing you say has any weight.

Contact Us

Email: info at firmfound dot org
or go to the web-site for FIRM - the Foundation for Integrity and Responsibility in Medicine

More About FIRM and Health Care Renewal

FIRM - the Foundation for Integrity and Responsibility in Medicine is a 501(c)3 that researches problems with leadership and governance in health care that threaten core values, and disseminates our findings to physicians, health care researchers and policy-makers, and the public at large. FIRM advocates representative, transparent, accountable and ethical health care governance, and hopes to empower health care professionals and patients to promote better health care leadership.
